Configuring EVPN

The configuration of EVPN revolves around the selection of the border gateway nodes and the configuration of associated VNIs for the VRFs.

In addition, the fabric automation takes care of transparently performing various configurations, which can be verified with new show commands or with new parameters of existing commands, as shown in the examples below.

Configuring the Border Gateways

The first step involves configuring the vRouters on at least two nodes across two pods to make them border gateways. That is achieved with the vrouter-create command using the evpn-border/no-evpn-border parameter. In case of an existing vRouter, the vrouter-modify command can be used instead.

For example:

CLI (network-admin@switch) > vrouter-create name vRouter1 fabric-comm enable location border-switch router-type hardware evpn-border bgp-as 5200 router-id

Then the vrouter-show command can be used to verify the current EVPN parameter configuration:

CLI (network-admin@switch) > vrouter-show name vRouter1 format all layout vertical

id:                           c00029d:0

name:                         vRouter1

type:                         vrouter

scope:                        fabric


location:                     switch

zone-id:                      c00029d:1

router-type:                  hardware

evpn-border:                  enable

The second step is for the user to configure an MP BGP neighbor with the l2vpn-evpn parameter to point to an external EVPN border gateway:

CLI (network-admin@switch) > vrouter-bgp-add vrouter-name vRouter1 neighbor remote-as 65012 ebgp-multihop 3 update-source multi-protocol l2vpn-evpn

This configuration enables the use of the standard EVPN NLRI, which is carried using BGP Multiprotocol Extensions with an Address Family Identifier (AFI) of 25 (L2VPN) and a Subsequent Address Family Identifier (SAFI) of 70 (EVPN).

Configuring L3 VNIs

To uniquely identify VRF instances with EVPN it is necessary to specify a new l3-vni parameter during creation (or modification), like so:

CLI (network-admin@switch) > vlan-create id 1000 auto-vxlan 101000 scope fabric ports none

CLI (network-admin@switch) > vrf-create name VRF1 l3-vni 101000

As explained in more detail in the Configuring VXLAN chapter, subnets can be mapped to VRFs with the subnet-create command, for example:

CLI (network-admin@switch) > vlan-create id 12 auto-vxlan 500012 scope fabric

CLI (network-admin@switch) > subnet-create name subnet-vxlan-500012 scope fabric vxlan 500012 network anycast-gw-ip vrf VRF1

L3 VNIs also enable a new forwarding mode (see the two hop model described above), which is used for inter-pod VXLAN routing.

Once configured, you can check the VRFs with the vrf-show command:

CLI (network-admin@switch) > vrf-show format name,vnet,anycast-mac,l3-vni,active,hw-router-mac,hw-vrid,flags,enable

name vnet anycast-mac       l3-vni active hw-router-mac     hw-vrid flags  enable

---- ---- ----------------- ------ ------ ----------------- ------- ------ ------

VRF1 0:0  64:0e:94:40:00:02 101000 yes    66:0e:94:48:68:a7 1       subnet yes

Note that the user doesn't need to confgure vrf-gw and vrf-gw2 with EVPN except on border gateways connected to DC gateways for North South traffic. Traffic reaches the border gateways with the default route described in Figure 9-3 above.

Configuring and Displaying MAC Mobility

MAC mobility is handled automatically by the EVPN control plane. However, it is important to deal with duplicate MAC address scenarios appropriately. Therefore, some special parameters are available to help with the remediation in such scenarios, as explained in the About MAC Mobility with EVPN section above.

You can (optionally) configure the three duplicate MAC address parameters on a per vRouter basis with the following command:

CLI (network-admin@switch) > vrouter-create name <vr-name> evpn-dup-addr-max-moves <count> evpn-dup-addr-moves-duration <seconds> evpn-dup-addr-freeze <seconds>

When not specified, the default values are:

  • evpn-dup-addr-max-moves: 5
  • evpn-dup-addr-moves-duration: 180
  • evpn-dup-addr-freeze: 180

You can also modify those parameters with the vrouter-modify command.

For example, let’s consider the case in which those three parameters are modified from the default values and are configured to 8, 401 and 301, respectively. You can display the new values with the following condensed command:

CLI (network-admin@switch*) > vrouter-show format name,evpn-border,evpn-dup-addr-max-moves,evpn-dup-addr-moves-duration,evpn-dup-addr-freeze,evpn-border

name     evpn-border evpn-dup-addr-max-moves(s) evpn-dup-addr-moves-duration(s) evpn-dup-addr-freeze

-------- ----------- -------------------------- ------------------------------- --------------------

vRouter1 enable      8                          401                             301

vRouter1 enable      8                          401                             301

In this case, if 8 MAC moves are detected in a 401 second time window, the duplicate MAC address entry is frozen for 301 seconds to facilitate the operator in the remediation. The frozen entry and the corresponding sequence number received before the 8th MAC move can be displayed with the following command:

CLI (network-admin@switch) > vrouter-evpn-duplicate-mac-show

switch       vrouter-name    host-mac          seq

------------ --------------- ----------------- ---

switch       vRouter1        00:12:c0:80:33:6a 7

This output will clear after dup-addr-freeze (180, by default) seconds have elapsed.

Furthermore, the total MAC move count can be periodically checked in the MM (MAC Move) field with this command:

CLI (network-admin@switch) > switch * vrouter-evpn-bgp-routes-show route-type 2 format vrouter-name,rd,vni,mac,route-type,next-hop,extended-community

switch  vrouter-name rd        vni    mac               route-type next-hop  path  extended-community

------- ------------ --------- ------ ----------------- ---------- --------- ----- ------------------------

switch  vr2 100100 2e:d7:27:b9:11:6d 2 66001 RT:465:100100 ET:8 MM:48

switch1 vr1 100100 2e:d7:27:b9:11:6d 2 66001 RT:465:100100 ET:8 MM:48

In addition, typically for troubleshooting purposes, you can see each MAC move being notified and logged on a node by using the following command and looking for the string action MAC_MOVE:

CLI (network-admin@switch) > vrouter-log-show vrouter-name vr2 protocol evpnsnoop





2021-05-21,05:24:26.075.:rs_msg.c:624:rs_msg_vport_update_event_cb  L2_UPDATE mac: 2e:d7:27:b9:11:6d,  log_type l2-modify caller cluster-status: vxlan 100100, vlan 100 reason:modify,evpn-mac-move owner_flags 0x0, over_

tunnel 1791,  2e:d7:27:b9:11:6d action MAC_MOVE ip


which shows the MAC move happening due to a certain host configured with a certain MAC and IP address pair. That information can be compared to the same command output obtained on the other node where the address duplication is also happening.